
Big Bad Virus?

Discussion in 'Windows XP' started by xenxes, Nov 7, 2007.

  1. xenxes (Thread Starter, joined Nov 7, 2007)
    Usually the viruses I come across are a breeze: run a scanner, delete processes and they go away, never had to reformat... I thought I'd ask around before I end up formatting ALL of my hard drives and starting over. Recently I've been getting a few very serious symptoms on my machine running XP SP2:

    Symptoms:

    1) The majority of executables have bytes appended to them, i.e.
    a) download via Firefox, executables become larger after download
    b) download via BitTorrent, executables become corrupt mid-download, file size larger than normal
    c) extract an executable, file size becomes larger than normal, usually by ~7168 bytes
    d) change .exe to something else in the archive, extract, file size is the same, rename to .exe, file size increases

    2) DEP comes up for way too many programs, including Microsoft ones
    a) when I log in, userinit is prevented by DEP; I ctrl-alt-delete, Task Manager is prevented by DEP
    b) I have to leave the DEP warning window open and eventually get Task Manager to run, then run explorer multiple times, all the while DEP is spamming me with warnings
    c) I end task for dumpprep and the warning window, it eventually goes away, Windows behaves normally after


    Tried:

    1) System Restore, failed
    2) ComboFix, nothing
    3) HijackThis, I eliminated all the suspicious processes; I get the eerie feeling that whatever this is attached itself to known processes
    4) Complete in-depth scan of all HDs with ESET NOD32 on the latest virus DB, found nothing
    5) Chkdsk did nothing


    You know, at first I thought whatever this was was neat, now it's just freaking me out. Any ideas? :(
     
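Symptom 1 above (every executable growing by roughly the same number of bytes) is what an appending file infector looks like on disk, and symptom 2 (DEP firing on userinit, Task Manager and Explorer) is consistent with code being run from a page Windows did not map as executable. The following is an added example, not code from the thread or from any of the tools mentioned in it: a small hand-written PE header parser that reports the two structural traces an appender has to leave behind, bytes past the end of the last section (an overlay) and an entry point that has been redirected into the last section or into a writable-and-executable section. The sample binaries, the two "infect" routines and the 7168-byte payload size are constructed here to mirror the poster's observation; they are not a model of any particular virus. Packers such as UPX and installers with self-extracting payloads trip the same checks, so treat a hit as a triage lead, not a verdict.

```python
"""Structural triage for the 'executables grew by ~7 KB' symptom.

Constructed example: a minimal PE32 image is built inline, then damaged in
two different ways (raw overlay append; last-section extension with a
patched entry point), and check() reports what each leaves behind.
"""
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"


@dataclass
class Section:
    name: str
    vsize: int
    va: int
    rawsize: int
    rawptr: int
    chars: int
    hdr_off: int          # file offset of this section header (needed to patch it)


@dataclass
class PEInfo:
    entry_point: int      # AddressOfEntryPoint (RVA)
    entry_point_off: int  # file offset of that field
    sections: list


def parse_pe(data: bytes) -> PEInfo:
    """Read just enough of the DOS/COFF/optional headers to locate the entry point and sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    ep_off = opt + 16                        # AddressOfEntryPoint sits at +16 in PE32 and PE32+
    entry_point = struct.unpack_from("<I", data, ep_off)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        f = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        sections.append(Section(f[0].rstrip(b"\0").decode("ascii", "replace"),
                                f[1], f[2], f[3], f[4], f[9], off))
    return PEInfo(entry_point, ep_off, sections)


def check(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing structurally odd."""
    pe = parse_pe(data)
    findings = []
    end_of_sections = max(s.rawptr + s.rawsize for s in pe.sections)
    overlay = len(data) - end_of_sections
    if overlay > 0:
        findings.append(f"{overlay} bytes of overlay past the last section")
    last = max(pe.sections, key=lambda s: s.rawptr)
    ep_sec = next((s for s in pe.sections
                   if s.va <= pe.entry_point < s.va + max(s.vsize, s.rawsize)), None)
    if ep_sec is None:
        findings.append(f"entry point 0x{pe.entry_point:x} lies outside every section")
    else:
        if ep_sec is last and len(pe.sections) > 1:
            findings.append(f"entry point in last section {ep_sec.name!r}")
        if ep_sec.chars & IMAGE_SCN_MEM_EXECUTE and ep_sec.chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"entry-point section {ep_sec.name!r} is writable and executable")
        if not ep_sec.chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry-point section {ep_sec.name!r} is not executable (DEP would block it)")
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with a .text and a .data section; not a runnable program."""
    file_align = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    # Magic, linker major/minor, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment
    opt = struct.pack("<HBB9I", 0x10B, 0, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, file_align)
    opt += b"\0" * (224 - len(opt))
    text = struct.pack(SECTION_HEADER_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_HEADER_FMT, b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = dos + coff + opt + text + data
    headers += b"\0" * (file_align - len(headers))
    return headers + b"\xC3" * 0x200 + b"\0" * 0x200                        # .text then .data


def append_overlay(clean: bytes, size: int = 7168) -> bytes:
    """Crude appender: bytes tacked on the end, headers untouched (constructed, not a real sample)."""
    return clean + b"\x90" * size


def infect_last_section(clean: bytes, size: int = 7168) -> bytes:
    """Appender that grows the last section, marks it executable and moves the entry point into it."""
    pe = parse_pe(clean)
    last = max(pe.sections, key=lambda s: s.rawptr)
    buf = bytearray(clean) + b"\x90" * size       # sample file ends exactly at the last section
    struct.pack_into("<III", buf, last.hdr_off + 8, last.vsize + size, last.va, last.rawsize + size)
    struct.pack_into("<I", buf, last.hdr_off + 36, last.chars | IMAGE_SCN_MEM_EXECUTE)
    struct.pack_into("<I", buf, pe.entry_point_off, last.va + last.rawsize)
    return bytes(buf)


if __name__ == "__main__":
    clean = build_sample_pe()
    for label, blob in (("clean", clean), ("overlay", append_overlay(clean)),
                        ("last-section", infect_last_section(clean))):
        print(label, check(blob) or "no findings")
```

To use it on a real machine, read each .exe with open(path, "rb") and pass the bytes to check(); a clean build of the same program, for example the copy on the locked USB drive the poster mentions, should come back empty while the copy on the suspect drive should not.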
  2. xenxes (Thread Starter, joined Nov 7, 2007)
    Thought I'd post my HJT log, seems pretty clean to me.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:31:44 AM, on 11/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
    O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
    O4 - HKLM\..\Run: [egui] "C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKCU\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /M "Stylus CX3800" /EF "HKCU"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - Eset - C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  3. TVDinners (joined Nov 6, 2007)
    I got a virus just like that 3 weeks ago from a downloaded file; I couldn't open msconfig and DEP kept coming up. Over 300 executables were overwritten with about 7k added to each one. I'm sure it actually hijacked my antivirus as well. I ended up booting into Safe Mode with network support, reinstalled my antivirus, updated it and another version as well, and did both scans. It cleared many of them, but after booting normally the AV kept finding them. It was overwhelming on my system. I finally formatted and reinstalled.
     
  4. xenxes (Thread Starter, joined Nov 7, 2007)
    Okay, I tried installing NOD32 and AVG through Safe Mode; it won't let me. What's funny is that I'm now installing via CD/locked USB drive and I get a warning message about not being able to WRITE to it every time I execute, so I know for a fact it's overwriting/appending bytes to my executables upon runtime/rename, even in SAFE MODE! And Safe Mode crashes a lot now.

    This sucks. I have 3 hard drives with potentially infected executables.

    I guess next I'll try to scan this computer via my laptop through a network connection... lol watch my laptop get infected too :p

    *edit: never mind, I think I found out what it is..
    http://www.bitdefender.com/VIRUS-1000163-en--Win32.Virtob

    or some variation of it. BD is just deleting every infected file w/o asking me, ugh, might as well just reinstall. Pretty nasty, attaches to WINLOGON.
     
  5. xenxes (Thread Starter, joined Nov 7, 2007)
    So.. an update...

    BD alias is Win32.Virtob.BQ, which infected EVERY .EXE FILE on ALL DRIVES; there were also a few Generic.Virtob.????s floating around. A few of my System Restore exes are also infected with Trojan.Runas.D, Trojan.Downloader.Agent.ECZ, Trojan.Downloader.JJAJ, Trojan.Dropper.RKW. Selected .HTML and .PHP files were also infected. None of the files are disinfectable.

    Programs tried: AVG, BD, Dr.Web CureIt, NOD32, Kaspersky. Only BD detects my variation "Win32.Virtob.BQ" and just deletes them; everything else can't even detect it.

    So far 7000+ infected files and still searching. Going to at least delete all infected files before I format my OS partition and reinstall...

    More info here: http://www.bitdefender.com/VIRUS-1000163-en--Win32.Virtob

    Awesome.
     
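When four out of five scanners see nothing and the one that does only offers to delete, the practical question is which files actually changed and whether they all changed the same way, which a baseline comparison answers without depending on any signature. The following is an added example, not code from the thread or from any of the products named in it: it fingerprints executables (size plus SHA-256) from a trusted source such as the locked USB drive or install media the poster mentions, compares the copies on the suspect machine against that baseline, and tallies how many bytes each modified file grew by, since an appending infector adds a near-constant amount to every victim and that shows up as one dominant size delta. The file set, paths and the 7168-byte growth used in the demo are constructed to mirror the thread, and the helper names are mine.

```python
"""Baseline comparison for the 'every .exe on every drive is infected' case.

Constructed example: an in-memory set of 'clean' executables stands in for the
trusted source, and a mutated copy stands in for the suspect drive.  The same
functions work on real directories via collect_executables().
"""
import hashlib
import os
from collections import Counter

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".sys")   # extend to .html/.php if those are in scope


def fingerprint(data: bytes):
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """files: {relative_path: bytes} read from a trusted source -> {path: (size, sha256)}."""
    return {path: fingerprint(blob) for path, blob in files.items()}


def collect_executables(root: str) -> dict:
    """Walk a real directory tree and return {relative_path: bytes} for executable-looking files."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    found[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return found


def compare(baseline: dict, current: dict):
    """Return (modified, missing, unknown): modified maps path -> size delta in bytes."""
    modified, missing = {}, []
    for path, (size, digest) in baseline.items():
        blob = current.get(path)
        if blob is None:
            missing.append(path)                # e.g. deleted by an AV that could not disinfect
            continue
        cur_size, cur_digest = fingerprint(blob)
        if cur_digest != digest:
            modified[path] = cur_size - size
    unknown = [p for p in current if p not in baseline]   # files the trusted source never had
    return modified, missing, unknown


def growth_histogram(modified: dict) -> Counter:
    """One dominant positive delta across many files is the signature of an appender."""
    return Counter(modified.values())


# --- constructed sample data (not real binaries) -----------------------------
CLEAN = {
    "Windows/system32/userinit.exe": b"MZ" + b"\x01" * 600,
    "Windows/system32/taskmgr.exe": b"MZ" + b"\x02" * 900,
    "Windows/explorer.exe": b"MZ" + b"\x03" * 1200,
    "Program Files/app/setup.exe": b"MZ" + b"\x04" * 300,
    "Windows/system32/notepad.exe": b"MZ" + b"\x05" * 400,
}


def make_suspect_copy() -> dict:
    """Mutate the clean set the way the thread describes, plus two other kinds of change."""
    cur = dict(CLEAN)
    for p in ("Windows/system32/userinit.exe", "Windows/system32/taskmgr.exe", "Windows/explorer.exe"):
        cur[p] = CLEAN[p] + b"\x90" * 7168                       # ~7168 bytes appended
    cur["Program Files/app/setup.exe"] = b"MZ" + b"\x04" * 299 + b"\xFF"   # patched in place, same size
    del cur["Windows/system32/notepad.exe"]                       # removed by the scanner
    cur["Windows/system32/dropped.exe"] = b"MZ" + b"\x06" * 50    # new file with no baseline entry
    return cur


def demo():
    baseline = build_baseline(CLEAN)
    modified, missing, unknown = compare(baseline, make_suspect_copy())
    return modified, missing, unknown, growth_histogram(modified)


if __name__ == "__main__":
    modified, missing, unknown, hist = demo()
    print("modified:", modified)
    print("missing:", missing)
    print("unknown:", unknown)
    print("growth histogram:", hist.most_common())
    # Real use: compare(build_baseline(collect_executables("E:/")), collect_executables("C:/"))
```

Run against real drives, the histogram is the quick answer to "is it one infector or several": the thread's ~7168 bytes would appear as a single spike, while a zero delta with a changed hash (the setup.exe case above) points at in-place patching that a size check alone would miss. Files in the "missing" list are the ones a scanner deleted rather than cleaned, which is worth knowing before reinstalling.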
Short URL to this thread: https://techguy.org/648988
